
In document Privacy preserving recommender systems (Page 100-106)


4.1.2 Proposed User based Recommendation Protocol

4.1.2.1 Initialization

First, we assume a rating matrix consisting of $n$ users who have provided ratings on $m$ items. The DS generates a cyclic group $G$ of order $N = q_1 q_2$, where $q_1$ and $q_2$ are large primes, with generator $g$. The server picks two random generators $g, u$ from $G$ and sets $h = u^{q_2}$. Then $h$ is a random generator of the subgroup of $G$ of order $q_1$. The public and private keys are defined by $PK = \{N, G, G_1, e, g, h\}$ and $SK = q_1$ respectively. Note that the DS stores the secret key for use in the decryption phase only.

Protocol description

Step 1: Each user $u_i$ locally performs the following operation for all items $i_j$, where $j = 1, 2, \ldots, m$:

$$R_{i,j} = \left\lfloor \frac{r_{i,j}}{\sqrt{r_{i,1}^2 + \cdots + r_{i,m}^2}} \cdot t \right\rfloor \quad (4.1)$$

where $\lfloor \cdot \rfloor$ represents the floor function and $t$ represents a positive integer such as 10 or 100. Before encrypting $R_{i,j}$, each user multiplies it with $t$, which can be made public, since the BGN cryptosystem cannot handle fractional numbers.

Step 2: The DS publishes the public key of BGN to all users $u_i$. For each item $i_j$, each user $u_i$ encrypts $R_{i,j}$ and the ratings $r_{i,j}$ as,

Privacy Preserving Item Ranking based on User Similarity 85

$$B_{i,j} = E(r_{i,j}) = g^{r_{i,j}} h^{x_i} \quad (4.3)$$

where $r_{i,j}$ and $R_{i,j}$ are integers in the set $\{0, 1, \ldots, T\}$; $T$ must not be large and $T \ll q_2$. $A_{i,j}$ and $B_{i,j}$ denote the ciphertexts of $R_{i,j}$ and $r_{i,j}$ respectively. $w_i$ and $x_i$ represent two random numbers for the different encryptions. Once the encryption is done, all users $u_i$, where $i = 1, 2, \ldots, n$, send the following message $M_{1,i}$ containing the above ciphertexts to the RS:

$$M_{1,i} = \{A_{i,j}, B_{i,j}\}_{j = 1, 2, \ldots, m}$$

4.1.2.2 Recommendation Generation Settings

For the recommendation process, only one user $u_i$ (the target user) participates in the system (for the rest of this section of the chapter we will denote the target user as $u_i$ and the other users as $u_k$, where $1 \le k \le n$ and $u_i \ne u_k$). All other users remain off-line. The RS holds $A_{i,j}$ and $B_{i,j}$ from the initialization stage, which will be used to calculate similarities and recommendations. To sign the ciphertexts of recommendations for the target user, the RS generates the public key and secret key $PK_1$ and $SK_1$ respectively.

Protocol Description

The target user $u_i$ sends a request to the RS for recommendations¹. According to our proposed model, the target user receives the encrypted information of the other users $u_k$ as $E(R_{k,j})$ from the RS, where $1 \le k \le n$. Then, the user $u_i$ calculates the similarities between itself and the other users $u_k$ locally. Once completed, $u_i$ returns the resultant ciphertexts of similarity to the RS. The RS computes recommendations for $u_i$ using the encrypted similarity and the other users $u_k$'s encrypted ratings. The resultant ciphertexts of recommendations are permuted (the permutation order is disclosed to the target user) and signed by the RS. Therefore, the DS is unable to identify the correct indices of the recommendation list even after decryption. Furthermore, because of the signature the DS verifies that the target user is authentic as well as the ciphertexts of recommendations. After receiving the recommendation (an item index from the permuted list) from the DS, the target user is able to reorder the list and find the exact recommendation. The detailed steps are described below.

¹ Notice that in our proposed model all users have to be online at the initialization phase only. During the similarity computation and recommendation phases, only the target user has to be online to get recommendations from the RS.

Figure 4.2: Similarity computation between target user $u_i$ and other users $u_k$.

Similarity Computation: We introduce the privacy preserving version of the similarity computation between the target user $u_i$ and another user $u_k$. Recall that the similarity computation is defined by

$$s(u_i, u_k) = \sum_{j=1}^{m} R_{k,j} \cdot R_{i,j} \quad (4.4)$$

where both $R_{i,j}$ and $R_{k,j}$ are private messages of users $u_i$ and $u_k$ respectively. Figure 4.2 shows the secure similarity computation by the target user $u_i$, who receives all other users' ciphertexts $E(R_{k,j})$ ($u_i \ne u_k$) and computes the encrypted similarity locally. The detailed process is as follows.

Step 1: The target user holds $R_{i,j}$ from Equation 4.1 of the initialization phase, and the RS sends the encrypted $R_{k,j}$ of the other users, $A_{k,j} = E(R_{k,j})$, to the target user as follows:

$$M_2 = \{A_{k,j}\}_{1 \le k \le n;\ j = 1, 2, \ldots, m}$$

Step 2: The target user $u_i$ receives the ciphertexts and raises each ciphertext $E(R_{k,j})$ to the power of its own plaintext $R_{i,j}$ for all items $j = 1, 2, \ldots, m$ (as shown in Figure 3). This is Equation 4.5; the expression $C_{i,k,j} = E(R_{k,j})^{R_{i,j}}$ is restated in the proof of Theorem 5 below.


Here $C_{i,k,j}$ denotes the resultant ciphertext calculated by the target user $u_i$ for each item $i_j$. The similarity between users $u_i$ and $u_k$ is then computed by

$$D_{i,k} = \prod_{j=1}^{m} C_{i,k,j} = \prod_{j=1}^{m} E(R_{i,j} \cdot R_{k,j}) = E(s(u_i, u_k)) \quad (4.6)$$

where $D_{i,k}$ denotes the ciphertext of the similarity between users $u_i$ and $u_k$.

Theorem 5. If all users and the server follow the protocol, we have that $D_{i,k} = E(s(u_i, u_k))$.

Proof. Using Equation 4.5, the target user $u_i$ computes

$$C_{i,k,j} = E(R_{k,j})^{R_{i,j}} = \left(g^{R_{k,j}} h^{y_i}\right)^{R_{i,j}} = g^{R_{k,j} \cdot R_{i,j}} \cdot h^{y_i \cdot R_{i,j}} = E(R_{k,j} \cdot R_{i,j})$$

where $y_i$ is a random number and $y_i \cdot R_{i,j}$ is distributed uniformly in $\mathbb{Z}_N$. Thus $C_{i,k,j}$ is a uniformly distributed encryption of $R_{i,j} \cdot R_{k,j}$. Using the homomorphic properties of the BGN cryptosystem, the RS computes the ciphertexts in Equation 4.6 as

$$D_{i,k} = \prod_{j=1}^{m} C_{i,k,j} = \prod_{j=1}^{m} E(R_{i,j} \cdot R_{k,j}) = \prod_{j=1}^{m} g^{R_{i,j} \cdot R_{k,j}} \cdot h^{y_i \cdot R_{i,j}} = g^{\sum_{j=1}^{m} R_{i,j} \cdot R_{k,j}} \cdot h^{\sum_{j=1}^{m} y_i \cdot R_{i,j}} = E\left(\sum_{j=1}^{m} R_{i,j} \cdot R_{k,j}\right) = E(s(u_i, u_k))$$

where $\sum_{j=1}^{m} y_i \cdot R_{i,j}$ is distributed uniformly in $\mathbb{Z}_N$. Thus $D_{i,k}$ is also a uniformly distributed encryption of $\sum_{j=1}^{m} R_{i,j} \cdot R_{k,j}$.

Recommendation Generation: Since we are interested in finding the highest score among all predicted recommendations (the items' ranking), the denominator part of Equation 2.13, which is the sum of similarities, can be eliminated as it is the same for all $P_{i,j}$. Therefore we can rewrite Equation 2.13 as

$$P_{i,j} = \sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k) \quad (4.7)$$

where $r_{k,j}$ and $s(u_i, u_k)$ denote the ratings of all other users $u_k$ except the target user $u_i$ and the similarities between the target user $u_i$ and all other users $u_k$, respectively. The detailed steps of our privacy preserving recommendation generation are given below.

Step 1: For all items $j = 1, 2, \ldots, m$, the RS computes the encrypted recommendations using the bilinear pairing² of the BGN cryptosystem as follows.

$$F_{i,j} = \prod_{1 \le k \le n,\ k \ne i} e(B_{k,j}, D_{i,k}) \cdot h_1^{z_k} = E\left(\sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k)\right) \quad (4.8)$$

where $F_{i,j}$ denotes the encrypted recommendation of Equation 4.7, $z_k \in \{1, 2, \ldots, N-1\}$ are random numbers, and $h_1 = e(g, h)$.

Step 2: The RS permutes the list of encrypted recommendations into a random order as

$$\{H_{i,j}\}_{j = 1, 2, \ldots, m} = Perm\{F_{i,j}\}_{j = 1, 2, \ldots, m} \quad (4.9)$$

where $Perm()$ and $\{H_{i,j}\}_{j = 1, 2, \ldots, m}$ represent the permutation function and the new permuted list of recommendations for the $j = 1, 2, \ldots, m$ items, respectively. Then, the RS assigns $\{H_{i,j}\}_{j = 1, 2, \ldots, m}$ to a message $M_3$ as $M_3 = \{H_{i,j}\}_{j = 1, 2, \ldots, m}$ and signs the message using the secret key $SK_1$ for the user $u_i$ as

$$\delta = Sign(M_3, SK_1) \quad (4.10)$$

where $\delta$, $SK_1$ and $Sign()$ represent the signature, the secret key and the signature protocol, respectively. The RS discloses the permutation order (denoted as $Perm\_order$) to $u_i$. Moreover, the RS sends the messages of ciphertexts and signatures to the target user as

$$M_3 = \{H_{i,j}\}_{j = 1, 2, \ldots, m}$$

$$M_4 = \{\delta, PK_1, Perm\_order\}$$

² The bilinear pairing map allows for multiplication of plaintexts in the encrypted domain. Using this process only one multiplication is possible each time. Since this process allows for multiplication of two plaintexts in encrypted form, unlike the similarity computation no user has to be online except the target user while generating recommendations.


Figure 4.3: An example of the decryption protocol. (a) The ciphertexts with their original index and their permuted index in a random order. (b) The target user sends the permuted list of ciphertexts to the DS for decryption. (c) The DS decrypts the recommendations and finds the maximum in the permuted list. (d) The DS sends the index of the maximum recommendation. (e) The target user reorders the list to find the recommended item.

Step 3: After receiving the above messages, the target user keeps the permutation order and passes the rest of the messages to the DS. The DS verifies the signature as

$$Verify(M_3, \delta, PK_1) = True \text{ or } False \quad (4.11)$$

where $Verify()$ represents the signature verification function. The signature is only accepted as authentic if the output is $True$. After running the verification protocol, for any number of items $j$, the DS decrypts the ciphertexts of the encrypted recommendations by raising each ciphertext to the power of the private key $q_1$ as

$$d_{i,j} = (H_{i,j})^{q_1} \quad (4.12)$$

where $d_{i,j}$ represents the decryption of the $j$'th ciphertext of recommendations. To recover the recommendation score, the DS just needs to compute the discrete logarithm [112] of $d_{i,j}$ to the base $g^{q_1}$:

$$P_{i,j} = \log_{g^{q_1}}(d_{i,j}) = \sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k) \quad (4.13)$$

where $P_{i,j}$ represents the original recommendation score of item $i_j$ for user $u_i$. The DS finds the maximum result among all $\{H_{i,j}\}_{j = 1, 2, \ldots, m}$ and acknowledges the corresponding index to the target user $u_i$. Finally, the target user retrieves the actual item by matching $\{H_{i,j}\}_{j = 1, 2, \ldots, m}$ with the original list $\{F_{i,j}\}_{j = 1, 2, \ldots, m}$ (shown in Figure 4.3). In this way, the most suitable item among the similar ones is recommended to the target user instead of providing the predicted numerical ratings.
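Worked example, added here and not the thesis's own code, of the parts of the protocol that need only the additive homomorphism: the normalization of Equation 4.1, BGN-style encryption $g^m h^r$ in a composite-order subgroup of $\mathbb{Z}_p^*$, the target user's ciphertext-only computation of $D_{i,k}$ (Equations 4.5 and 4.6), and the DS-side decryption by raising to $q_1$ followed by a brute-force discrete logarithm (Equations 4.12 and 4.13). The pairing step of Equation 4.8 is not modelled; the primes, the ratings and the function names are constructed toy values for illustration, not secure parameters.

```python
import math
import random

def is_prime(n):                          # trial division, enough for toy sizes
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def keygen(q1, q2, rng):
    """BGN-style setup in Z_p^*: G = subgroup of order N = q1*q2 with generator g,
    h = u^q2 generates the order-q1 subgroup.  PK = (p, N, g, h), SK = q1."""
    N = q1 * q2
    p = next(k * N + 1 for k in range(2, 10**6) if is_prime(k * N + 1))
    def gen_of_order_N():
        while True:
            x = pow(rng.randrange(2, p - 1), (p - 1) // N, p)
            if pow(x, q1, p) != 1 and pow(x, q2, p) != 1:  # order exactly N
                return x
    g, u = gen_of_order_N(), gen_of_order_N()
    return (p, N, g, pow(u, q2, p)), q1

def encrypt(pk, m, rng):                  # Eq. 4.3 form: E(m) = g^m * h^r
    p, N, g, h = pk
    return pow(g, m, p) * pow(h, rng.randrange(1, N), p) % p

def decrypt(pk, q1, c, bound):            # Eq. 4.12/4.13: c^q1 = (g^q1)^m, as h^q1 = 1
    p, _, g, _ = pk
    d, base = pow(c, q1, p), pow(g, q1, p)
    return next(m for m in range(bound + 1) if pow(base, m, p) == d)  # brute-force log

def normalize(ratings, t):                # Eq. 4.1: floor(r_j / ||r|| * t)
    norm = math.sqrt(sum(r * r for r in ratings))
    return [int(r * t / norm) for r in ratings]

def encrypted_similarity(pk, R_i, A_k):   # Eq. 4.5/4.6, target user, ciphertexts only
    p, D = pk[0], 1
    for R_ij, A_kj in zip(R_i, A_k):
        D = D * pow(A_kj, R_ij, p) % p    # C_{i,k,j} = A_{k,j}^{R_{i,j}}; D = prod_j C
    return D

def demo(t=10):                           # returns (decrypted, plaintext) similarity pairs
    rng = random.Random(1)
    pk, sk = keygen(2003, 2011, rng)      # toy primes, not secure sizes
    target = [5, 3, 0, 1]                 # constructed ratings of target user u_i
    others = [[4, 4, 0, 2], [0, 1, 5, 5]] # constructed ratings of two other users u_k
    R_i, out = normalize(target, t), []
    for r_k in others:
        R_k = normalize(r_k, t)
        A_k = [encrypt(pk, R, rng) for R in R_k]          # held by RS from message M1
        D = encrypted_similarity(pk, R_i, A_k)            # D_{i,k}, computed by u_i
        out.append((decrypt(pk, sk, D, len(R_i) * t * t), # DS decrypts with q1
                    sum(a * b for a, b in zip(R_i, R_k))))
    return out
```

The decryption bound $m \cdot t^2$ reflects why the text requires $T \ll q_2$: the base $g^{q_1}$ has order $q_2$, so scores are only recovered correctly while they stay below $q_2$.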


Theorem 6. If the target user $u_i$ and all servers follow the protocol, we have that $F_{i,j} = E\left(\sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k)\right)$.

Proof. From Equation 4.8 the RS homomorphically computes (writing $h = g^{\alpha q_2}$ for some $\alpha$, which is possible because $g$ generates $G$, so that $h_1 = e(g, h) = e(g, g)^{\alpha q_2}$)

$$\begin{aligned}
F_{i,j} &= \prod_{1 \le k \le n,\ k \ne i} e(B_{k,j}, D_{i,k}) \cdot h_1^{z_k} \\
&= \prod_{1 \le k \le n,\ k \ne i} e\left(g^{r_{k,j}} \cdot h^{w_k},\ g^{s(u_i,u_k)} \cdot h^{y_i \cdot R_{k,j}}\right) \cdot h_1^{z_k} \\
&= \prod_{1 \le k \le n,\ k \ne i} e\left(g^{r_{k,j} + \alpha q_2 w_k},\ g^{s(u_i,u_k) + \alpha q_2 y_i \cdot R_{k,j}}\right) \cdot h_1^{z_k} \\
&= \prod_{1 \le k \le n,\ k \ne i} e(g, g)^{(r_{k,j} + \alpha q_2 w_k)(s(u_i,u_k) + \alpha q_2 y_i R_{k,j})} \cdot h_1^{z_k} \\
&= \prod_{1 \le k \le n,\ k \ne i} \left( e(g, g)^{r_{k,j} \cdot s(u_i,u_k)} \cdot h_1^{z_k + s(u_i,u_k) w_k + r_{k,j} y_i R_{k,j} + \alpha q_2 w_k y_i R_{k,j}} \right) \\
&= E\left(\sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k)\right)
\end{aligned}$$

where $w_k$, $y_i$ and $z_k$ denote the random numbers under the different encryptions and $z_k + s(u_i, u_k) w_k + r_{k,j} y_i R_{k,j} + \alpha q_2 w_k y_i R_{k,j}$ is uniformly distributed in $\mathbb{Z}_N$. Thus $F_{i,j}$ is a uniformly distributed encryption of $\sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k)$.

Remark 1. The range of $r_{k,j}$ and $s(u_i, u_k)$ is not large; therefore computing the discrete logarithm to find $\sum_{1 \le k \le n,\ k \ne i} r_{k,j} \cdot s(u_i, u_k)$ is not hard.
